The UK Information Commissioner’s Office has fined a Greenford, England-based catalogue retailer £1,350,000 for using the personal information of over 145,000 consumers to target the company’s health products marketing. According to the ICO, Easylife Limited employed a third-party marketing company that used 80 “trigger products” to flag customers for follow up communications marketing medical and quasi-medical products. Easylife inferred that consumers suffered certain medical conditions (such as arthritis) based on the products they had purchased. The company did not obtain consumers’ consent to use their personal data for health product profiling, or to receive marketing calls based on what the ICO termed “invisible” processing of health data.*
Easylife’s data use practice continued between August 2019 and August 2020, a period when the General Data Protection Regulation was in force in the United Kingdom. According to the ICO, under the GDPR, transactional purchase data constitutes personal data, and Easylife used that data to influence its telemarketing decisions, thereby processing special category data without a legal basis. The company failed to inform individuals of the type of processing that would occur with their data, as required by Article 13 of GDPR. The ICO concluded that Easylife had contravened Article 5(1)(a) of the GDPR, and imposed a £1,350,000 penalty based on the nature, gravity and duration of the infringement, Easylife’s poor track record of regulatory compliance, and the company’s objective to gain an advantage over rival businesses and sell targeted products to individuals.
The ICO’s investigation revealed that, in addition to the GDPR infringement described above for serious deficiencies in the way Easylife collected, processed and used special category (health-related) data of thousands of individuals, Easylife had also infringed Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Regulation 21 prohibits the making of unsolicited, non-consensual calls for direct marketing purposes to telephone numbers that are registered with the Telephone Preference Service Ltd (“TPS”) on behalf of the ICO. The ICO identified over 1.3 million unsolicited calls made by Easytlife or on Easylife’s behalf between August 2019 and August 2020 to numbers registered with the TPS. The ICO determined that although these calls did not constitute deliberate contraventions of Regulation 21 of PECR, a company of Easylife’s size and age ought reasonably to have known that a contravention might occur; and as a company whose business model involves live call direct marketing, Easylife should have taken appropriate and necessary organizational steps to comply with the PECR. The company’s contravention of Regulation 21 was therefore, in the ICO’s opinion, negligent. Moreover, Easylife was put on notice of potential PECR violations through contact with the ICO and other regulatory authorities. Taking into account all relevant factors, including the concurrent GDPR investigation, the ICO imposed a monetary penalty of £ 130,000 for Easylife’s serious contravention of the PECR, in addition to the GDPR penalty.
* Easylife did claim to have removed from its call lists those individuals who had previously opted out of marketing calls.